fix: ship etc/containers/{storage,containers}.conf.d drop-ins (gitignore allowlist)

Kabuki94 · claude · Kabuki94 · commit 8839e8406947 · 2026-05-04T20:48:18.000-04:00
The .gitignore rule `etc/containers/*` blocked everything outside
`/etc/containers/systemd/`, so two MiOS-authored config drop-ins
created in earlier commits never actually reached origin:

  - etc/containers/storage.conf.d/30-mios-additionalstores.conf
    (rootful build store -&gt; rootless distrobox image bridge; the
    Universal Blue / Bazzite additionalimagestores pattern)
  - etc/containers/containers.conf.d/30-mios-rootless-network.conf
    (default_rootless_network_cmd = "slirp4netns" so rootless Quadlets
    work on hosts without /dev/net/tun -- specifically MiOS-DEV WSL2)

Per the MiOS-DEV feature-parity invariant (mios_dev_parity.md): both
drop-ins are unconditional, not WSL-gated. The substrate must support
running every Quadlet the deployed image runs; gating Quadlets off
inside the builder is the wrong direction.

Adds explicit allowlists for `storage.conf.d/30-mios-*` and
`containers.conf.d/30-mios-*` to mirror the existing systemd/mios*
allowlist, and ships the two .conf files that were created on disk
but never tracked.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -108,6 +108,17 @@ etc/containers/*
 !/etc/containers/systemd/
 etc/containers/systemd/*
 !/etc/containers/systemd/mios*
+# storage.conf.d/ -- additionalimagestores bridge so rootless distrobox
+# can read images built into rootful podman storage by the system-scope
+# .build Quadlets (Universal Blue / Bazzite pattern).
+!/etc/containers/storage.conf.d/
+etc/containers/storage.conf.d/*
+!/etc/containers/storage.conf.d/30-mios-*
+# containers.conf.d/ -- per-host podman tunables (rootless network
+# backend, runtime defaults). All shipped .conf files are MiOS-authored.
+!/etc/containers/containers.conf.d/
+etc/containers/containers.conf.d/*
+!/etc/containers/containers.conf.d/30-mios-*
 !/etc/fapolicyd/
 etc/fapolicyd/*
 !/etc/fapolicyd/fapolicyd.rules
diff --git a/etc/containers/containers.conf.d/30-mios-rootless-network.conf b/etc/containers/containers.conf.d/30-mios-rootless-network.conf
@@ -0,0 +1,35 @@
+# /etc/containers/containers.conf.d/30-mios-rootless-network.conf
+#
+# Force rootless containers to use slirp4netns instead of the newer
+# pasta backend.
+#
+# Why: podman 5.x defaults rootless networking to pasta, which opens
+# /dev/net/tun directly. Some MiOS deployment shapes -- notably the
+# MiOS-DEV podman-machine WSL2 distro that operates as the Windows-
+# side build/runtime substrate -- ship without /dev/net/tun (the
+# microsoft-WSL2 kernel does have the tun module compiled in, but the
+# device node isn't created until something modprobes it, and
+# rootless podman runs unprivileged so it can't trigger that).
+#
+# Without this drop-in every Quadlet that uses rootless networking
+# fails at startup with:
+#     pasta[NNNN]: Failed to open() /dev/net/tun: No such file or directory
+#     pasta[NNNN]: Failed to set up tap device in namespace
+#     mios-forge[NNNN]: setting up Pasta: pasta failed with exit code 1
+#
+# slirp4netns is the legacy rootless network backend; it builds an
+# in-process userspace TCP/IP stack instead of using a tap device,
+# so it works on every host without requiring kernel/device support.
+# Slightly slower than pasta on TCP throughput, but functionally
+# identical for everything MiOS does (REST APIs, git push/pull,
+# systemd-managed inbound listeners). Architectural Law 4 (VM |
+# Container | Flatpak only) is unaffected.
+#
+# Per the MiOS-DEV feature-parity contract this drop-in ships on
+# every shape, not gated to WSL -- the substrate either has /dev/net/tun
+# (most hosts) and pasta would have worked anyway, or doesn't (WSL),
+# in which case slirp4netns is the only option. Either way the
+# behavior is consistent across all MiOS deployments.
+
+[network]
+default_rootless_network_cmd = "slirp4netns"
diff --git a/etc/containers/storage.conf.d/30-mios-additionalstores.conf b/etc/containers/storage.conf.d/30-mios-additionalstores.conf
@@ -0,0 +1,22 @@
+# /etc/containers/storage.conf.d/30-mios-additionalstores.conf
+#
+# Bridge rootful podman image storage into rootless users' view.
+#
+# MiOS builds Distrobox base images at boot via .build Quadlets under
+# /usr/share/containers/systemd/ (e.g. mios-aichat.build). Those run
+# in system scope -- the resulting image lands in
+# /var/lib/containers/storage, which rootless podman normally cannot
+# see.
+#
+# Adding it as an `additionalimagestores` entry makes rootless users
+# (and therefore distrobox, which always runs rootless on MiOS) able
+# to *read* images from the rootful store without copy or push. This
+# is the Universal Blue / Bazzite pattern.
+#
+# The store is read-only from the rootless side; rootless writes
+# still go to ~/.local/share/containers/storage as usual.
+
+[storage.options]
+additionalimagestores = [
+    "/var/lib/containers/storage",
+]
